Full-tunnel VPN DNS leakage regression
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
NetworkManager |
Expired
|
Medium
|
|||
network-manager (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Xenial |
Won't Fix
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
High
|
Till Kamppeter | ||
Cosmic |
Fix Released
|
High
|
Unassigned | ||
systemd (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Xenial |
Won't Fix
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
High
|
Dan Streetman | ||
Cosmic |
Fix Released
|
High
|
Dan Streetman |
Bug Description
[Impact]
When using a VPN the DNS requests might still be sent to a DNS server outside the VPN when they should not
[Test case]
1) Set up a VPN with split tunneling:
a) Configure VPN normally (set up remote host, any ports and options needed for the VPN to work)
b) Under the IPv4 tab: enable "Use this connection only for the resources on its network".
c) Under the IPv6 tab: enable "Use this connection only for the resources on its network".
2) Connect to the VPN.
3) Run 'systemd-resolve --status'; note the DNS servers configured:
a) For the VPN; under a separate link (probably tun0), note down the IP of the DNS server(s). Also note the name of the interface (link).
b) For the "main" connection; under the link for your ethernet or wireless devices (wl*, en*, whatever it may be), note down the IP of the DNS server(s). Also note the name of the interface (link).
4) In a separate terminal, run 'sudo tcpdump -ni <the main interface> port 53'; let it run.
5) In a separate terminal, run 'sudo tcpdump -ni <the VPN interface> port 53'; let it run.
6) In yet another terminal, issue name resolution requests using dig:
a) For a name known to be reachable via the public network:
'dig www.yahoo.com'
b) For a name known to be reachable only via the VPN:
'dig <some DNS behind the VPN>'
7) Check the output of each terminal running tcpdump. When requesting the public name, traffic can go through either. When requesting the "private" name (behind the VPN), traffic should only be going through the interface for the VPN. Additionally, ensure the IP receiving the requests for the VPN name is indeed the IP address noted above for the VPN's DNS server.
If you see no traffic showing in tcpdump output when requesting a name, it may be because it is cached by systemd-resolved. Use a different name you have not tried before.
[Regression potential]
The code change the handling of DNS servers when using a VPN, we should check that name resolution still work whne using a VPN in different configurations
-----------------
In 16.04 the NetworkManager package used to carry this patch:
http://
It fixed the DNS setup so that when I'm on the VPN, I am not sending unencrypted DNS queries to the (potentially hostile) local nameservers.
This patch disappeared in an update. I think it was present in 1.2.2-0ubuntu0.
This security bug exists upstream too: https:/
It's not a *regression* there though, as they didn't fix it yet (unfortunately!)
CVE References
information type: | Private Security → Public Security |
tags: | added: incoming rs-bb- |
tags: |
added: rls-bb-incoming removed: incoming rs-bb- |
Changed in network-manager (Ubuntu): | |
assignee: | nobody → Olivier Tilloy (osomon) |
tags: | removed: rls-bb-incoming |
Changed in network-manager: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Changed in network-manager: | |
status: | Confirmed → Fix Released |
tags: |
added: verification-done-bionic removed: verification-needed verification-needed-bionic |
description: | updated |
Changed in systemd (Ubuntu Cosmic): | |
assignee: | nobody → Dan Streetman (ddstreet) |
Changed in systemd (Ubuntu Bionic): | |
assignee: | nobody → Dan Streetman (ddstreet) |
Changed in systemd (Ubuntu Xenial): | |
assignee: | nobody → Dan Streetman (ddstreet) |
assignee: | Dan Streetman (ddstreet) → nobody |
Changed in systemd (Ubuntu Cosmic): | |
importance: | Undecided → High |
status: | New → In Progress |
Changed in systemd (Ubuntu Bionic): | |
status: | Triaged → In Progress |
tags: | added: ddstreet-next |
tags: |
added: verification-needed verification-needed-bionic verification-needed-cosmic removed: verification-failed verification-failed-bionic |
Changed in systemd (Ubuntu Cosmic): | |
status: | In Progress → Fix Committed |
Changed in systemd (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in network-manager (Ubuntu Bionic): | |
assignee: | Olivier Tilloy (osomon) → Till Kamppeter (till-kamppeter) |
Changed in network-manager (Ubuntu Cosmic): | |
status: | New → Won't Fix |
tags: |
added: verification-done verification-done-bionic removed: verification-needed verification-needed-bionic verification-needed-cosmic |
Changed in systemd (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
Changed in systemd (Ubuntu Cosmic): | |
status: | Fix Committed → Fix Released |
tags: | removed: ddstreet-next |
Changed in network-manager (Ubuntu Xenial): | |
status: | New → Confirmed |
Changed in network-manager: | |
status: | Fix Released → Confirmed |
Changed in network-manager: | |
status: | Confirmed → Expired |
Changed in network-manager (Ubuntu Xenial): | |
status: | Confirmed → Won't Fix |
Changed in systemd (Ubuntu Xenial): | |
status: | Invalid → Won't Fix |
Confirming this is broken. Dropping the patch 0001-dns- use-DBus- to-make- dnsmasq- nameserver- changes. patch in network-manager (1.2.4- 0ubuntu0. 16.04.1) was done, but it looks like not all the code in that patch was actually upstream.